
Trojan.Ransomlock.T

By ESGI Advisor in Trojans

Threat Scorecard

Threat Level: 90 % (High)
Infected Computers: 103
First Seen: October 4, 2012
Last Seen: May 13, 2026
OS(es) Affected: Windows

Trojan.Ransomlock.T is a Trojan that cybercriminals use to spread the Police Service of Northern Ireland ransomware to targeted PCs. Trojan.Ransomlock.T locks the infected computer and does not let the PC user use the machine. Trojan.Ransomlock.T asks the victim to pay a so-called fine to unlock the computer. When run, Trojan.Ransomlock.T copies itself to a specific location on the affected computer system. Trojan.Ransomlock.T creates a registry entry that allows it to load automatically whenever Windows starts. Trojan.Ransomlock.T also creates a registry entry that adds it to the list of programs authorized by the Windows firewall. After the computer is locked, Trojan.Ransomlock.T displays a bogus warning that accuses the PC user of violating a copyright law and demands an online payment of $200 via MoneyPak.

Aliases

15 security vendors flagged this file as malicious.

Antivirus Vendor Detection
Panda Trj/Agent.MIZ
Sophos Troj/DotNet-B
CAT-QuickHeal Trojan.Genome.airjn.cw3
Fortinet W32/Small.PNV!tr
Ikarus Trojan-Downloader.Agent
AhnLab-V3 Trojan/Win32.Genome
Microsoft Trojan:MSIL/Wantia.A
Comodo TrojWare.Win32.Trojan.Svchost
Kaspersky Trojan.Win32.Genome.airjn
eSafe Win32.Trojan
K7AntiVirus Trojan
McAfee Downloader.a!c2c
Panda Trj/CI.A
AVG Downloader.Agent2.BHQG
AhnLab-V3 Trojan/Win32.Ransomlock

File System Details

Trojan.Ransomlock.T may create the following file(s):
# File Name MD5 Detections
1. svchost.exe dc5e6611ff13b4321095098400d586e8 51
2. %UserProfile%\Application Data\system\[THREAT FILE NAME].exe
3. %SystemDrive%\RECYCLER\find_me.tmp
4. %UserProfile%\Application Data\rt1.png

Registry Details

Trojan.Ransomlock.T may create the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Update" = "%UserProfile%\Application Data\system\[THREAT FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe, %UserProfile%\Application Data\system\[THREAT FILE NAME].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"Update" = "%UserProfile%\Application Data\system\[THREAT FILE NAME].exe"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%UserProfile%\Application Data\system\[THREAT FILE NAME].exe" = "%UserProfile%\Application Data\system\[THREAT FILE NAME].
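As an added example (not part of the original entry), the following Python routine triages exported registry values for the three persistence patterns listed above: Run entries pointing at a user-writable path, a Winlogon Shell value with anything appended after Explorer.exe, and a self-added Windows Firewall authorization. The key paths are the ones the page lists; the sample values, the OneDrive decoy entry and the regex of user-writable locations are constructed assumptions.

```python
"""Offline triage of exported registry values for the persistence pattern
described on this page.  SAMPLE_VALUES is constructed to mirror the page's
entries (plus one benign decoy); the key paths are the ones the page lists."""
import re

# Constructed sample: (key path, value name, data), as an export tool might emit them.
SAMPLE_VALUES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "Update", r"%UserProfile%\Application Data\system\[THREAT FILE NAME].exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell", r"Explorer.exe, %UserProfile%\Application Data\system\[THREAT FILE NAME].exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "Update", r"%UserProfile%\Application Data\system\[THREAT FILE NAME].exe"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy"
     r"\StandardProfile\AuthorizedApplications\List",
     r"%UserProfile%\Application Data\system\[THREAT FILE NAME].exe",
     r"%UserProfile%\Application Data\system\[THREAT FILE NAME].exe:*:Enabled:Update"),
]

# Locations an unprivileged user can write to (assumed list); autostart entries there deserve a look.
USER_WRITABLE = re.compile(
    r"(%userprofile%|%appdata%|%temp%|\\users\\[^\\]+\\|\\documents and settings\\[^\\]+\\|\\recycler\\)",
    re.IGNORECASE)

def triage(values):
    """Return a list of (key, value_name, reason) for entries matching the persistence pattern."""
    findings = []
    for key, name, data in values:
        k = key.lower()
        if k.endswith(r"\winlogon") and name.lower() == "shell":
            # The legitimate value is exactly "explorer.exe"; anything appended is launched alongside it.
            extra = [p.strip() for p in data.split(",") if p.strip().lower() != "explorer.exe"]
            if extra:
                findings.append((key, name, "Winlogon Shell launches extra program: " + "; ".join(extra)))
        elif k.endswith(r"\run") and USER_WRITABLE.search(data):
            findings.append((key, name, "autostart from user-writable path"))
        elif r"\authorizedapplications\list" in k and USER_WRITABLE.search(name):
            findings.append((key, name, "firewall exception for user-writable executable"))
    return findings

if __name__ == "__main__":
    for key, name, reason in triage(SAMPLE_VALUES):
        print(f"{reason}\n  {key}\\{name}")
```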

Analysis Report

General information

Family Name: Trojan.Kazy.F
Signature status: No Signature

Known Samples

MD5: d000f4216eda45c110d33c29faaa0fc0
SHA1: 453c6ec2b92cb832df7e5839b893c6fd9b03cd1c
SHA256: 1F985D96637A788483CFB3A363B8167EBF663E542B9B56C1B23A67D073C89F39
File Size: 947.44 KB, 947439 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have security information
  • File has exports table
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Traits

  • dll
  • HighEntropy
  • VirtualQueryEx
  • x86

Block Information

Total Blocks: 2,605
Potentially Malicious Blocks: 227
Whitelisted Blocks: 1,408
Unknown Blocks: 970

Files Modified

File Attributes
c:\windows Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value Data API Name
HKLM\software\classes\.udf::sniff type netman.exe RegNtPreCreateKey
HKLM\software\classes\.udf::sniff type wireshark.exe RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWriteFile
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
Anti Debug
  • NtQuerySystemInformation

Shell Command Execution

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\453c6ec2b92cb832df7e5839b893c6fd9b03cd1c_0000947439.,LiQMAxHB
